3 releases (breaking)

Version | Date |
---|---|
0.3.0 | Dec 9, 2023 |
0.2.0 | Dec 6, 2023 |
0.1.0 | Dec 4, 2023 |
#1369 in Filesystem
18KB
198 lines
PathRatchet
Prevent path traversal attacks at type level.
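```rust
use std::path::PathBuf;
use path_ratchet::prelude::*;

let user_input = "/etc/shadow";
let mut filename = PathBuf::from("/tmp");
// "/etc/shadow" is not a single path component, so `new` rejects it
// and `unwrap` panics instead of letting the path escape /tmp.
filename.push_component(SingleComponentPath::new(user_input).unwrap());
```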
lib.rs:

`PathBuf::push` allows any form of path traversal:

```rust
use std::path::PathBuf;

let user_input = "/etc/shadow";
let mut filename = PathBuf::from("/tmp");
// Pushing an absolute path replaces the existing path entirely.
filename.push(user_input);
assert_eq!(filename, PathBuf::from("/etc/shadow"));
```

In contrast, `<PathBuf as PushPathComponent>::push_component` requires a path with only a single element.
```rust
use std::path::PathBuf;
use path_ratchet::prelude::*;

let user_input = "/etc/shadow";
let mut filename = PathBuf::from("/tmp");
// Panics: the input has more than one component, so `new` rejects it.
filename.push_component(SingleComponentPath::new(user_input).unwrap());
```
Security
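It is essential to check the path on the same platform it is used on.
For example, the path `C:\path\to\file.txt` will be interpreted as a file or directory name on a Unix system.

```rust
use path_ratchet::prelude::*;

// On Unix the backslash is not a path separator, so this whole string
// is one component and the check passes.
SingleComponentPath::new(r"C:\path\to\file.txt").unwrap();
```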
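The platform dependence described above can be reproduced with the standard library alone. This is an added example, not the crate's own code: `single_component` and `join_checked` are hypothetical helpers that approximate the single-component rule with `std::path::Component`, and the inputs are constructed samples.

```rust
use std::ffi::OsStr;
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper (not path_ratchet's API): returns the file name only
/// if the current platform's parser sees exactly one normal component.
fn single_component(input: &str) -> Option<&OsStr> {
    let mut components = Path::new(input).components();
    match (components.next(), components.next()) {
        (Some(Component::Normal(name)), None) => Some(name),
        // Empty input, ".", "..", a root, a Windows prefix, or several components.
        _ => None,
    }
}

/// Joins `base` with untrusted `input`, refusing anything that is not a
/// single component on the platform this code runs on.
fn join_checked(base: &Path, input: &str) -> Option<PathBuf> {
    single_component(input).map(|name| base.join(name))
}

fn main() {
    let base = Path::new("/tmp");
    // Constructed sample inputs.
    let inputs = [
        "report.txt",
        "/etc/shadow",
        "../secret",
        "a/b",
        "..",
        "",
        r"C:\path\to\file.txt",
    ];
    for input in inputs {
        println!("{:?} -> {:?}", input, join_checked(base, input));
    }
}
```

On Unix the last input is accepted as one file name, while the Windows parser splits the same string into a prefix, a root and three names, so a value validated on one platform must not be reused as a path on the other.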